I’ve written before about the shaky state of Swedish cybersecurity, and I find myself drawn back to the subject—especially after a recent session with some very sharp minds working on the development of Cybercampus Sweden. One particular question lingered: Why is there relatively little innovation in this field? (A quick glance at this list demonstrates the gap.)

But after some thought, I realise that the real question isn’t about a lack of innovation. In fact, plenty of innovative solutions already exist. The real mystery is: Why are we so slow to adopt them?

Take, for instance, Google Analytics. Why do 85% of websites still use it, despite its known privacy issues? Alternatives like Plausible Analytics offer a free, privacy-friendly option, providing sufficient insight for most webmasters. Yet, Google Analytics reigns supreme.

Or why do we keep using Zoom and Teams – both of which have glaring security issues – when there are open source alternatives like Big Blue Button which can be self hosted and where there’s an army of idealistic developers constantly looking for flaws and shipping patches? (It’s not perfect, but it seems to be holding up pretty well).

Even more puzzling: Why store sensitive data on AWS—a platform that’s seen its fair share of breaches—when alternatives like NextCloud allow you to spin up a private, self-controlled cloud?

Sure, any cloud (public or private) can be hacked, but private clouds at least mitigate risks by keeping data on your own servers. This means there’s less risk of foreign intelligence agencies demanding backdoor access.

And this trend continues:

• Why use Windows instead of Linux, when professionals agree that Linux offers superior security?

• Why use Slack when an on-premise installation of the open-source alternative Mattermost is far more secure?

The real problem isn’t a thoughtful trade-off between usability and security. If that were the case, we could justify these choices by prioritising user experience (UX) over security. But this isn’t happening.

For example, compare iOS to Android: despite Android sending 20 times more data to Google than iPhones send to Apple, the iPhone clearly wins on both security and UX. So what’s going on?

I find myself thinking of an old Bible quote:

“I do not understand what I do. For what I want to do, I do not do. But what I hate, I do.”
—Romans 7:15

And there it is—the truth that’s been staring us in the face all along. There’s no grand mystery, just human nature. We cling to the familiar because change is hard. We know how to get to a more secure digital environment, but the journey is fraught with friction and effort.

In the end, the cybersecurity crisis isn’t too complex to solve—it’s just a lot of hard work.

Even if we committed to this effort—which would rival the scale of the Paris Agreement—it wouldn’t be enough. Strengthening our digital infrastructure would be a significant victory, but it would only mark the end of the beginning, as Churchill might put it. From there, true innovation must take flight—from developing business models to support open-core projects, to creating secure ways to train AI models on sensitive data. The list goes on, but those challenges are the subject of another conversation.